[thelist] Website Hacked?

Ken Schaefer Ken at adOpenStatic.com
Mon May 26 06:04:34 CDT 2008


Least privilege is always a good security practice, but SQL Injection attacks can be used to also read stuff from a database (e.g. you inject an additional SELECT statement that selects all usernames/passwords from the users table, and UNIONs them to an existing SELECT query result).

Cheers
Ken

> -----Original Message-----
> From: thelist-bounces at lists.evolt.org [mailto:thelist-
> bounces at lists.evolt.org] On Behalf Of Joost van Velzen
> Sent: Monday, 26 May 2008 7:02 PM
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] Website Hacked?
>
> I don't know if the following applies, because I don't know whether the
> visitors of your website should be able to add content to the
> database,
> but if they don't need to be able to do that, you can always make a
> Front-end SQL user, which only allows the necessary, so no INSERT,
> UPDATE, ALTER, DROP & DELETE privileges.
>
> Cheers
>
> Joost
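An added illustration of both points in this thread (not code from either poster): a SELECT-only connection, standing in for Joost's restricted front-end SQL user, still leaks the users table through the UNION injection Ken describes when the query is built by string concatenation, while a parameterized query treats the same input as a plain value. The tables and rows are constructed sample data, and `PRAGMA query_only` is used as a stand-in for a database user without write privileges.

```python
import sqlite3

# Constructed sample data (not from the thread): a products table the
# public page searches, and a users table it should never expose.
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO products VALUES (1, 'widget', '9.99'), (2, 'gadget', '19.99');
INSERT INTO users VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');
"""

# Constructed injection input of the kind Ken describes: closes the string
# literal, appends a UNION over the users table, comments out the rest.
UNION_INPUT = "x' UNION SELECT username, password FROM users --"


def open_readonly_db() -> sqlite3.Connection:
    """In-memory DB locked to SELECT only, standing in for a front-end
    SQL user with no INSERT/UPDATE/ALTER/DROP/DELETE privileges."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("PRAGMA query_only = ON")  # writes now raise OperationalError
    return conn


def write_is_blocked(conn: sqlite3.Connection) -> bool:
    """Confirm the least-privilege part works: a DELETE is refused."""
    try:
        conn.execute("DELETE FROM products")
    except sqlite3.OperationalError:
        return True
    return False


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """String-concatenated query: the input becomes part of the SQL text,
    so a UNION in it is executed even though the connection is read-only."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """Bound parameter: the input can only ever be compared as a value."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()
```

The read-only connection blocks the DELETE, yet `search_vulnerable` returns every username/password pair, and `search_parameterized` returns nothing for the same input.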



